IR 05000269/2000004
ML20113E940 | |
Person / Time | |
---|---|
Site: | Oconee |
Issue date: | 05/12/2020 |
From: | Christopher Hunter NRC/RES/DRA/PRB |
To: | |
Hunter C (301) 415-1394 | |
References | |
IR 2000004, IR 2001008 | |
Download: ML20113E940 (41) | |
Text
Final Precursor Analysis
Accident Sequence Precursor Program --- Office of Nuclear Regulatory Research
June 25, 2003

Oconee, Units 1, 2, and 3
Lack of assurance of high-pressure injection and station auxiliary service water pump following postulated severe tornado event

Event Date: 04/01/2000
Inspection Report No.: 50-269/00-04 and 50-269/01-08
ΔCDP = 5 x 10^-6, Unit 1
ΔCDP = 4 x 10^-6, Units 2 & 3

Condition Summary

This analysis involves two potential conditions occurring during an overlapping time period: the potential failure of the high-pressure injection (HPI) system following a tornado event, and the inability to align the station auxiliary service water (ASW) pump to supply lake water to the steam generators within 40 minutes following a design basis tornado.
Potential failure of the HPI system. An NRC inspection identified a condition that would result in a potential failure of the HPI system following a tornado event (Refs. 1 and 2). The condition involved the lack of assurance that the HPI pump could operate for the necessary time frame (24 hours), using the spent fuel pool as the suction source following tornados of F3, F4, or F5 intensity. During this scenario, procedure AP/1,2,3/A/1700/006, Natural Disaster, requires operators to manipulate manual valves to align the HPI pump suction header to the spent fuel pool upon the unavailability of the borated water storage tank.
Initial calculations by the licensee for this mode of operation had been performed using nonconservative assumptions and an inadequate consideration of pressure, temperature, and hydraulic requirements. There was also a lack of testing using the HPI pump in this configuration. New calculations performed for this mode of operation indicated that the HPI pump would lose suction at 7 hours (Units 1 and 2) or 6 hours (Unit 3) due to the lowering water level in the spent fuel pool and the increasing water temperature in the pool, causing flashing and steam binding of the pump.
Inability to align the station auxiliary service water (ASW) pump. A subsequent NRC inspection (Ref. 3) identified conditions that would prevent the operators from aligning the station ASW pump to supply lake water to the steam generators within the required time of 40 minutes following a postulated design basis tornado. First, the operators took more than 60 minutes to complete the procedure during a simulated exercise on January 27, 2000. Second, the procedure that includes the local operation of manual-operated steam generator atmospheric dump valves (required to depressurize the steam generator to below the 70-psig discharge pressure of the station ASW pump) did not consider the fact that these valves may not be accessible within the required time due to effects of a tornado or from tornado debris.
Condition duration. The first condition has existed since the spent fuel pool was first credited as a suction source for HPI (before 1990) (Ref. 2). The second condition has existed since the local operation of the steam generator atmospheric dump valves for ASW pump injection was credited in the IPEEE submittal dated December 21, 1995 (Ref. 4).
IR 50-269/00-04 and 50-269/01-08
For the purpose of this analysis, these two conditions occurred over a common 1-year period (footnote 1) through March 22, 2000 (Refs. 2 and 4).
Analysis Results
- Importance (footnote 2)
Two different models were used for Unit 1 versus Units 2 and 3 to account for the difference in reactor coolant pump (RCP) seal design. For each unit, the risk significance of the two conditions ([1] the HPI pump being unable to use the spent fuel pool as the suction source for the necessary time frame and [2] the inability to align the station ASW pump to supply the steam generators following a severe tornado) is determined by subtracting the nominal core damage probability from the conditional core damage probability:

Unit 1
Conditional core damage probability (CCDP) = 4.2 x 10^-5
Nominal core damage probability (CDP) = 3.7 x 10^-5
Importance (ΔCDP) = 5 x 10^-6

The estimated importance (CCDP-CDP) for the combined conditions is 5 x 10^-6. This is an increase of 5 x 10^-6 over the nominal CDP over a 1-year period when both conditions coexisted. The Accident Sequence Precursor Program acceptance threshold is an importance (ΔCDP) of 1 x 10-

Units 2 and 3
Conditional core damage probability (CCDP) = 2.9 x 10^-5
Nominal core damage probability (CDP) = 2.5 x 10^-5
Importance (ΔCDP) = 4 x 10^-6

The estimated importance (CCDP-CDP) for the combined conditions is 4 x 10^-6. This is an increase of 4 x 10^-6 (for each unit) over the nominal CDP over a 1-year period when both conditions coexisted. The Accident Sequence Precursor Program acceptance threshold is an importance (ΔCDP) of 1 x 10-

Footnote 1: The ASP Program limits the conditional assessment of risk to a 1-year period.
Footnote 2: Since this condition did not involve an actual initiating event, the parameter of interest is the measure of the incremental increase between the conditional probability for the period in which the condition existed and the nominal probability for the same period but with the condition nonexistent and plant equipment available. This incremental increase or importance is determined by subtracting the CDP from the CCDP. This measure is used to assess the risk significance of hardware unavailabilities especially for those cases where the nominal CDP is high with respect to the incremental increase of the conditional probability caused by the hardware unavailability.
- Dominant sequence
The dominant core damage sequence (Tornado Sequence 29, see Figure 1) for this condition assessment involves the following:
  - Tornado damage results in the loss of the three 4160-V ac safety-related buses in the turbine building, rendering the decay heat removal (DHR) system and the motor-driven EFW pumps inoperable.
  - The turbine-driven EFW pump fails to provide secondary side cooling.
  - The pressurizer safety lifts and recloses.
  - The ASW system fails to provide secondary side cooling and, as a result, piggy-back cooling is required. Because the DHR system is failed, piggy-back operation is unavailable and this sequence leads to a core damage end state.
- Results tables
  - The conditional probability of the dominant sequence is shown in Table 1.
  - The event tree sequence logic for the dominant sequence is provided in Table 2.
  - The conditional cut sets for the dominant sequence are provided in Table 3.
Modeling Assumptions
- Assessment summary
This event was modeled as an at-power condition assessment with failure of the HPI pump for long-term heat removal when aligned to the spent fuel pool and failure to align the station ASW pump following a postulated tornado event over a common 1-year period. Both conditions were analyzed together. Two analyses were performed, one for Unit 1 and one for Units 2 and 3, due to differences in the reactor coolant pump seal designs.
- ASP analysis approach
The Revision 2QA of the Oconee Simplified Plant Analysis Risk (SPAR) model (Ref. 5) was used for this assessment. The SPAR Revision 2QA model includes event trees for transients (including loss of feedwater and a transfer tree for anticipated transient without scram or ATWS), loss of offsite power events (including a transfer tree for station blackout), small break loss-of-coolant accidents, and steam generator tube ruptures. In addition, the SPAR 2QA model was updated to add a new event tree for tornado initiators. All of these event trees were used in the analysis.

The default calculation method used in SAPHIRE is the Minimal Cut Set Upper Bound (Min-Cut Upper Bound) approximation. This calculation method approximates the probability of the union of the minimal cut sets for the sequence. In situations when the cut set probabilities are high or complemented events appear in the cut sets, the Min-Cut Upper Bound method may overpredict the importances. The Min/Max Quantification approach available in SAPHIRE uses the exact probability quantification algorithm. The Min/Max run-time is a function of the number of cut sets and the number of passes made. Setting the number of passes equal to the number of cut sets for the sequence will obtain the exact probability. This is not a credible alternative, given the computing limitations of the typical personal computer. The number of passes required for convergence is a function of the number of cut sets for the selected sequence and the value of the basic events in the cut sets. To obtain results within a reasonable run-time, only the Tornado event tree was analyzed. That is, the initiating event frequency for all of the other event trees was set to zero. A number of runs were conducted to determine that, as the number of passes increased, the CCDP decreased. To obtain the results presented here, five passes and a probability cut off of 1 x 10^-15 were used. While the CCDP did decrease, so did the CDP, and the delta CCDP remained in the same range as when the Min-Cut Upper Bound approximation was used.

The basic approach for conducting this analysis consists of the following steps:
1. A tornado event tree was developed for the SPAR 2QA model using information from the IPEEE. Attachment A provides a summary of each sequence in this event tree.
2. Fault trees for each branch point in the event tree were developed either by modifying existing fault trees from the SPAR 2QA and the SPAR 3i models or by developing new fault trees. Attachment B provides the details of this effort.
3. Basic events for tornado-related initiating events, human errors, and equipment failures were developed using information in the IPEEE. Table 4 describes these changes.
4. The SPAR 2QA model was used to calculate the change in core damage probability (ΔCDP) over the 1-year period of the analysis. Tables 1a, 1c, 2a, 2b, 3a, and 3b provide the results of the SPAR model calculations of the analyzed condition. Tables 1b and 1c provide, for comparison, the results of the Min-Max calculations performed in SAPHIRE.

The discussion below and in the attachments provides the bases for the changes to the base model.
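The gap between the Min-Cut Upper Bound and Min/Max quantification described above can be reproduced on the four Tornado Sequence 29 cut sets listed in Table 3a, using the basic-event probabilities in Table 4. This Python code is an added example, not part of the NRC analysis or of SAPHIRE. It assumes independent basic events, treats each Min/Max pass as one inclusion-exclusion term (an assumption consistent with the statement that passes equal to the number of cut sets gives the exact probability), and omits IE-TO and the TO-29-SCF correction factor, so its results are conditional on the tornado and are not the report's CCDP values.

```python
"""Min-cut upper bound vs. Min/Max (inclusion-exclusion) quantification.

Added example. Probabilities are the Table 4 values and the cut sets are the
four Tornado (TO) Sequence 29 cut sets listed in Table 3a. IE-TO and the
sequence correction factor TO-29-SCF are omitted, so every result is
conditional on the tornado and covers only the listed cut sets.
"""
from itertools import combinations, product
from math import prod

# Basic-event probabilities from Table 4 (treated as independent: assumption).
BASIC_EVENTS = {
    "EFW-TNK-FC-UST-T": 5.0e-1,
    "ACP-TO-LP": 3.8e-1,
    "SSF-XHE-XA-SSF-T": 2.5e-1,
    "BTO-WIND-DEX": 1.7e-1,
    "BEF-PIPE-DEX": 3.0e-1,
    "SSF-MDP-TM-ASW": 8.3e-2,
}

# Minimal cut sets for TO Sequence 29 as listed in Table 3a.
CUT_SETS = [
    frozenset({"EFW-TNK-FC-UST-T", "ACP-TO-LP", "SSF-XHE-XA-SSF-T"}),
    frozenset({"EFW-TNK-FC-UST-T", "ACP-TO-LP", "BTO-WIND-DEX"}),
    frozenset({"ACP-TO-LP", "BTO-WIND-DEX", "BEF-PIPE-DEX"}),
    frozenset({"EFW-TNK-FC-UST-T", "ACP-TO-LP", "SSF-MDP-TM-ASW"}),
]


def joint_prob(events, p=BASIC_EVENTS):
    """Probability that every basic event in `events` occurs."""
    return prod(p[e] for e in events)


def rare_event_sum(cut_sets, p=BASIC_EVENTS):
    """Sum of cut set probabilities (first inclusion-exclusion term)."""
    return sum(joint_prob(cs, p) for cs in cut_sets)


def min_cut_upper_bound(cut_sets, p=BASIC_EVENTS):
    """1 - prod(1 - P(cut set)): treats cut sets as independent of each other,
    which ignores basic events they share (here ACP-TO-LP is in all four)."""
    return 1.0 - prod(1.0 - joint_prob(cs, p) for cs in cut_sets)


def min_max(cut_sets, passes, p=BASIC_EVENTS):
    """Inclusion-exclusion truncated after `passes` terms.

    Odd pass counts bound the union from above, even counts from below;
    passes == len(cut_sets) gives the exact probability.
    """
    total = 0.0
    for k in range(1, passes + 1):
        sign = 1.0 if k % 2 else -1.0
        for combo in combinations(cut_sets, k):
            # The intersection of cut sets is the union of their basic events.
            total += sign * joint_prob(frozenset().union(*combo), p)
    return total


def exact_by_enumeration(cut_sets, p=BASIC_EVENTS):
    """Independent check: sum the probability of every basic-event state
    in which at least one cut set is fully failed."""
    names = sorted(p)
    total = 0.0
    for states in product((True, False), repeat=len(names)):
        failed = {n for n, s in zip(names, states) if s}
        if any(cs <= failed for cs in cut_sets):
            total += prod(p[n] if s else 1.0 - p[n]
                          for n, s in zip(names, states))
    return total


def compare(cut_sets=CUT_SETS):
    """Collect all quantifications for side-by-side comparison."""
    n = len(cut_sets)
    return {
        "rare_event_sum": rare_event_sum(cut_sets),
        "min_cut_upper_bound": min_cut_upper_bound(cut_sets),
        "min_max_by_pass": [min_max(cut_sets, k) for k in range(1, n + 1)],
        "exact": exact_by_enumeration(cut_sets),
    }


if __name__ == "__main__":
    r = compare()
    print(f"rare-event sum      : {r['rare_event_sum']:.6f}")
    print(f"min-cut upper bound : {r['min_cut_upper_bound']:.6f}")
    for k, v in enumerate(r["min_max_by_pass"], start=1):
        print(f"min/max, {k} pass(es) : {v:.6f}")
    print(f"exact (enumeration) : {r['exact']:.6f}")
```

With basic-event probabilities as large as these, the Min-Cut Upper Bound exceeds the exact value by roughly a fifth, and the Min/Max result alternates above and below the exact value until the last pass.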
- Unique system and operational considerations
The SPAR 2QA model credits the following unique system and operational considerations as documented in individual plant examination for external events (IPEEE) (Ref. 4):
  - Station auxiliary service water (ASW) system. The station ASW pump can be manually aligned to supply lake water for secondary side heat removal. The ASW switchgear is powered directly from Keowee via the CT4 transformer and underground feed. The ASW pump, its switchgear, power cables, and suction piping are all protected from tornado wind and missile damage. The station ASW pump can also provide cooling water to the HPI pump motor coolers.
  - Standby Support Facility (SSF). The SSF consists of a reactor coolant makeup pump for reactor coolant pump (RCP) seal cooling, an ASW pump for steam generator feed (different than the station ASW pump), a dedicated diesel generator, and associated ac and dc electrical distribution and control, all housed in a tornado-proof structure. The SSF switchgear can be powered from Keowee hydro from the underground feeder via transformer CT4 or from the SSF diesel generator. The SSF requires manual operation from the SSF structure.
  - The spent fuel pool can be used as an alternate suction source for an HPI pump. However, this suction path has an insufficient supply to allow high-pressure recirculation (HPR) success prior to cavitation of the HPI pumps during injection.
  - Emergency power to the safety-related 4160 V buses is supplied from the Keowee hydroelectric generators instead of onsite diesel generators.
  - The safety-related switchgear and batteries are located in an area of the turbine building that is vulnerable to tornado damage.
  - The upper surge tank is located on the sixth floor of the turbine building and is vulnerable to the effects of high winds at this elevation.
  - The BWST is located outside near to the outer wall of the west penetration room and is exposed to full tornado wind loads.
  - Reactor coolant pump (RCP) seal assemblies. At the time of these conditions, the RCPs at Oconee Unit 1 had seal assemblies manufactured by Westinghouse that consisted of O-rings that were not qualified for high temperatures and pressures. The RCPs at Oconee Units 2 and 3 had high-temperature seal assemblies manufactured by Bingham.
SENSITIVE - NOT FOR PUBLIC DISCLOSURE
- Development of tornado event and fault trees
The SPAR 2QA model does not account for tornado initiators. Therefore, a tornado event tree and associated fault trees were developed from information from the Oconee IPEEE (Ref. 4) and fault trees from SPAR models. The event tree is shown in Figure 1. Attachment A describes each sequence in the event tree. The details of the fault tree development are provided in Attachment B. Attachment D provides the fault trees used in the tornado event tree.
The following is a short description of the fault trees that make up the top events in the tornado event tree.
  - Tornado Winds Fail Safety-related 4160 V Switchgear in the Turbine Building (TURBUS). This is a one-event fault tree representing the unavailability of the 4160 V buses in the turbine building. Modeling this event at the beginning of the event tree simplifies the branch point logic at other points in the event tree. This is a new fault tree.
  - Tornado Winds Cause Failure of BWST (BWST). This is a one-event fault tree representing the unavailability of the BWST following a tornado. Modeling this event at the beginning of the event tree simplifies the branch point logic at other points in the event tree. This is a new fault tree.
  - No or Insufficient EFW System Flow (EFW-T). This fault tree represents failure of the emergency feedwater system. On success of fault tree TURBUS, both the motor-driven and turbine-driven pumps are available. On failure of TURBUS, only the turbine-driven pump is available due to the reliance of the motor-driven pumps on the 4160-V switchgear in the turbine building. This fault tree is taken from the SPAR 2QA model.
  - PORV and Block Valve and SRVs Fail to Reseat (PRVL-RES-T). This fault tree is taken from the SPAR 2QA model.
  - Station ASW and SSF ASW Systems Fail to Provide Secondary Side Heat Removal (ASW). This fault tree represents failure of the station ASW and the SSF ASW systems to provide secondary side heat removal when the EFW system fails. This fault tree is based on the IPEEE, with the SSF ASW portion being based on the SPAR 3i model.
  - RCP Seals Fail During a Tornado (SEALLOCA-T). This fault tree represents failure of the SSF reactor coolant makeup system to provide seal cooling to the RCP seals and subsequent failure of the seals. This fault tree is taken from the SPAR 3i model.
  - No or Insufficient Flow from the HPI System (HPI-L-T). This fault tree represents failure of the HPI system to provide core cooling and injection following a loss of secondary side heat removal or a loss-of-coolant accident (LOCA). This fault tree is taken from the SPAR 2QA model.
  - Long-term Heat Removal Is not Available (HPI-LONG). This fault tree represents the failure to achieve long-term cooling by using high pressure recirculation, given HPI system success. Failure of this system is dominated by failure of 4160-V power from the switchgear in the turbine building. This is required to power the low pressure service water system pumps, which provide cooling to the decay heat removal coolers. This is a new fault tree.
- Development of tornado-related basic events
The failure probabilities of the following events used in the new fault trees were taken from the IPEEE:
  - Tornado Damage Fails Emergency Buses in Turbine Building (ACP-TO-LP)
  - Piping in East Penetration Room is Damaged Given West Room Damaged (BEF-PIPE-DEX)
  - F4+ Tornado Winds Damage West Penetration Room Structure (BTO-WIND-DEX)
  - Failure of the Upper Surge Tank (Supply for EFW) Due to Tornado (EFW-TNK-FC-UST-T)
  - Borated Water Storage Tank Fails Following Tornado (HPI-TNK-VF-BWST-T)
  - Tornado >F2 Impacts Oconee with Unit at Power (IE-TO)
  - Tornado Damage Fails Emergency Power From Keowee (BKEOWEE)
The bases for each failure probability used in the new fault trees were reviewed by a resource expert in tornado analysis. The failure probabilities of the above basic events from the IPEEE were found to be reasonable. This assessment was based on the following:
  - The IPEEE used the best available data source (National Severe Storms Forecast Center) and methods (NUREG/CR-4461) to estimate the tornado frequencies.
  - A detailed missile trajectory and impact analysis using the state-of-the-art simulation code (TORMIS)
  - The Safety Evaluation Report (Ref. 6) of the Oconee IPEEE was reviewed, and there were no findings against the licensee with respect to the approach used to model the tornado event.
- Modifications to basic event probabilities
The basic events that were modified to reflect the nature of the event conditions are presented below. The nominal failure probabilities are used to calculate the baseline core damage probability (CDP). The changes below are used to calculate the conditional core damage probability (CCDP).
  - HPI Pump Suction From the Spent Fuel Pool Fails in the Long Term (HPI-MDP-FC-SFP). The failure probability of basic event HPI-MDP-FC-SFP is set to TRUE (probability = 1) to reflect the loss of suction from the spent fuel pool. This change is being made to model the first condition being analyzed.
  - Operators Fail to Depressurize Steam Generators and Align ASW Pump (SSF-XHE-XA-SSF). The failure probability of basic event SSF-XHE-XA-SSF was set to TRUE (probability = 1.0) to reflect the failure to demonstrate that the alignment of the ASW pump to the steam generators can be performed within the required time of 40 minutes. This change is being made to model the second condition being analyzed.
Definitions and probabilities of select basic events are shown in Table 4.
- Model update
The SPAR model for Oconee was updated to account for updated failure probabilities and initiating event frequencies (for non-tornado initiators) from recent operating experience. These updates are independent of the actual event being analyzed. Bases for these updates are described in the footnotes to Table 4.
References
1. NRC Special Inspection Report 50-269/00-04, 50-270/00-04, 50-287/00-04, May 4, 2000 (ADAMS Accession No. ML003711781).
2. Final Significance Determination for a White Finding and Notice of Violation (NRC Inspection Report 50-269/00-11, 50-270/00-11, 50-287/00-11, Oconee Nuclear Station), November 9, 2000 (ADAMS Accession No. ML0037684390).
3. NRC Inspection Report 50-269/01-08, 50-270/01-08, 50-287/01-08, April 20, 2001 (ADAMS Accession No. ML0111506090).
4. Duke Power Company, Oconee Nuclear Station IPEEE Submittal Report, December 21, 1995.
5. M. B. Sattison, et al., Idaho National Engineering and Environmental Laboratory, Simplified Plant Analysis Risk (SPAR) Model for Oconee 1, 2 & 3, Revision 2QA, January 1998.
6. Oconee Nuclear Station, Units 1, 2 and 3 Re: Review of Individual Plant Examination of External Events (TAC Nos. MA83649, M83650, M83651), U.S. Nuclear Regulatory Commission, March 15, 2000.
7. Memorandum from Ashok C. Thadani to William D. Travers, Closeout of Generic Safety Issue 23: Reactor Coolant Pump Seal Failure, U.S. Nuclear Regulatory Commission, November 8, 1999.
8. R. G. Neve, et al., Cost/Benefit Analysis for Generic Issue 23: Reactor Coolant Pump Seal Failure, NUREG/CR-5167, April 1991.
9. J. P. Poloski, et al., Rates of Initiating Events at U.S. Nuclear Power Plants: 1987-1995, NUREG/CR-5750, February 1999.
10. C. L. Atwood, et al., Evaluation of Loss of Offsite Power Events at Nuclear Power Plants: 1980-1996, NUREG/CR-5496, November 1998.
11. J. C. Byers, et al., Revision of the 1994 ASP HRA Methodology (Draft), INEEL/EXT-99-0041, January 1999.
12. Comments on Preliminary Accident Sequence Precursor Analysis of April 2000 Operational Condition, Oconee Nuclear Station, Units 1, 2, and 3, Docket Nos. 50-269, -270, and -287, July 23, 2002 (ADAMS Accession No. ML022110514).
Table 1a. Conditional probabilities associated with the highest probability sequences (Unit 1) (note 1)

Event tree name | Sequence no. | Conditional core damage probability (CCDP) | Core damage probability (CDP) | Importance (CCDP - CDP) (note 3) |
---|---|---|---|---|
TO | 29 | 8.2E-006 | 4.6E-006 | |
TO | 17 | 8.4E-007 | 8.5E-008 | |
TO | 23 | 3.6E-007 | 3.4E-007 | |
TO | 10 | 6.5E-009 | 6.3E-010 | |
Total (all sequences) | | 4.2E-005 | 3.7E-005 | 5E-006 |

Notes:
1. (File name: Unit 1 - GEM 269-00-S01 7-27-2001 124529.WPD).
2. Total CCDP and CDP includes all sequences (including those not shown in this table).
3. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.
Table 1b. Conditional probabilities associated with the highest probability sequences using Min-Max (Unit 1)

Event tree name | Sequence no. | Conditional core damage probability (CCDP) | Core damage probability (CDP) | Importance (CCDP - CDP) (note 2) |
---|---|---|---|---|
TO | 29 | 7.1E-006 | 3.5E-006 | |
TO | 17 | 7.4E-007 | 7.4E-008 | |
TO | 23 | 3.5E-007 | 3.4E-007 | |
TO | 10 | 5.4E-009 | 5.4E-010 | |
Total (all sequences) | | 9.8E-006 | 5.5E-006 | ~4.3E-006 |

Notes:
1. Total CCDP and CDP includes all sequences (including those not shown in this table).
2. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 1c. Conditional probabilities associated with the highest probability sequences (Units 2 and 3) (note 1)

Event tree name | Sequence no. | Conditional core damage probability (CCDP) | Core damage probability (CDP) | Importance (CCDP - CDP) (note 3) |
---|---|---|---|---|
TO | 29 | 8.2E-006 | 4.6E-006 | |
TO | 17 | 1.9E-007 | 1.9E-008 | |
TO | 23 | 3.6E-007 | 3.5E-007 | |
TO | 10 | 6.5E-009 | 6.4E-010 | |
Total (all sequences) | | 2.9E-005 | 2.5E-005 | 4E-006 |

Notes:
1. (File name: Units 2 and 3 - GEM 269-00-S01 UNIT 2-3 7-27-2001 125422.WPD).
2. Total CCDP and CDP includes all sequences (including those not shown in this table).
3. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.
Table 1d. Conditional probabilities associated with the highest probability sequences using Min-Max (Units 2 and 3)

Event tree name | Sequence no. | Conditional core damage probability (CCDP) | Core damage probability (CDP) | Importance (CCDP - CDP) (note 2) |
---|---|---|---|---|
TO | 29 | 7.2E-006 | 3.9E-006 | |
TO | 17 | 1.6E-007 | 1.7E-008 | |
TO | 23 | 3.5E-007 | 3.4E-007 | |
TO | 10 | 5.5E-009 | 5.5E-010 | |
Total (all sequences) | | 9.4E-006 | 5.9E-006 | ~3.5E-006 |

Notes:
1. Total CCDP and CDP includes all sequences (including those not shown in this table).
2. Importance is calculated using the total CCDP and total CDP from all sequences. Sequence level importance measures are not additive.

Table 2a. Event tree sequence logic for dominant sequences

Event tree name | Sequence no. | Logic (/ denotes success; see Table 2b for fault tree names) |
---|---|---|
TO | 29 | TURBUS, EFW-T, /PRVL-RES-T, ASW |
TO | 17 | /TURBUS, BWST, /EFW-T, SEALLOCA-T, /HPI-L-T, HPI-LONG |

Table 2b. Definitions of fault trees listed in Table 2a

Fault tree | Definition |
---|---|
ASW | STATION AUXILIARY SERVICE WATER (ASW) PUMP AND SSF ASW PUMP FAIL TO PROVIDE SECONDARY SIDE HEAT REMOVAL |
BWST | TORNADO WINDS FAILS BORATED WATER STORAGE TANK |
EFW-T | NO OR INSUFFICIENT EMERGENCY FEEDWATER SYSTEM FLOW |
HPI-L-T | NO OR INSUFFICIENT HIGH-PRESSURE INJECTION (SHORT-TERM) |
HPI-LONG | LONG-TERM HEAT REMOVAL NOT AVAILABLE |
PRVL-RES-T | PRESSURIZER POWER-OPERATED RELIEF VALVE AND BLOCK VALVE AND SAFETY RELIEF VALVES FAIL TO RESEAT |
SEALLOCA-T | REACTOR COOLANT PUMP SEALS FAIL FROM LOSS OF INJECTION/COOLING |
TURBUS | TORNADO WINDS FAIL 4160V SWITCHGEAR IN TURBINE BUILDING |
Table 3a. Conditional cut sets for Unit 1

CCDP | % contribution | Minimal cut sets (note 1) |
---|---|---|
Event Tree: Tornado (TO), Sequence 29 | | |
3.0E-006 | 3 | EFW-TNK-FC-UST-T, ACP-TO-LP, SSF-XHE-XA-SSF-T, TO-29-SCF1 |
2.0E-006 | 2 | EFW-TNK-FC-UST-T, ACP-TO-LP, BTO-WIND-DEX, TO-29-SCF1 |
1.2E-006 | 1 | ACP-TO-LP, BTO-WIND-DEX, BEF-PIPE-DEX, TO-29-SCF1 |
9.6E-007 | 1 | EFW-TNK-FC-UST-T, ACP-TO-LP, SSF-MDP-TM-ASW, TO-29-SCF1 |
8.2E-006 | Total (note 2) | |
Event Tree: Tornado (TO), Sequence 17 | | |
4.6E-007 | 5 | HPI-TNK-VF-BWST-T, SSF-XHE-XA-SSF-T, TO-17-SCF |
3.2E-007 | 3 | HPI-TNK-VF-BWST-T, BTO-WIND-DEX, TO-17-SCF |
8.4E-7 | Total | |

Notes:
1. See Table 4 for definitions and probabilities for the basic events. TO-29-SCF and TO-17-SCF are sequence correction factors; see Attachment A for details and Table A.1 for sequence correction factor values.
2. Total CCDP includes all cut sets (including those not shown in this table).

Table 3b. Conditional cut sets for Units 2 and 3

CCDP | % contribution | Minimal cut sets (note 1) |
---|---|---|
Event Tree: Tornado (TO), Sequence 29 | | |
3.0E-006 | 3 | EFW-TNK-FC-UST-T, ACP-TO-LP, SSF-XHE-XA-SSF-T, TO-29-SCF1 |
2.0E-006 | 2 | EFW-TNK-FC-UST-T, ACP-TO-LP, BTO-WIND-DEX, TO-29-SCF1 |
1.2E-006 | 1 | ACP-TO-LP, BTO-WIND-DEX, BEF-PIPE-DEX, TO-29-SCF1 |
9.6E-007 | 1 | EFW-TNK-FC-UST-T, ACP-TO-LP, SSF-MDP-TM-ASW, TO-29-SCF1 |
8.2E-006 | Total (note 2) | |
Event Tree: Tornado (TO), Sequence 17 | | |
1.1E-007 | 5 | HPI-TNK-VF-BWST-T, SSF-XHE-XA-SSF-T, RCS-MDP-LK-SEALS-T, TO-17-SCF1 |
7.0E-008 | 3 | HPI-TNK-VF-BWST-T, BTO-WIND-DEX, RCS-MDP-LK-SEALS-T, TO-17-SCF1 |
1.9E-007 | Total (note 2) | |

Notes:
1. See Table 4 for definitions and probabilities for the basic events. TO-29-SCF and TO-17-SCF are sequence correction factors; see Attachment A for details and Table A.1 for sequence correction factor values.
2. Total CCDP includes all cut sets (including those not shown in this table).
Table 4. Definitions and probabilities for modified or dominant basic events

Event name | Description | Probability | Modified |
---|---|---|---|
ACP-TO-LP | TORNADO DAMAGE FAILS EMERGENCY BUSES IN TURBINE BUILDING | 3.8E-001 | YES (note 1) |
ASW-XHE-XA-ASW | OPERATORS FAIL TO DEPRESSURIZE STEAM GENERATORS AND ALIGN STATION AUXILIARY SERVICE WATER (ASW) PUMP | TRUE | YES (note 2) |
BEF-PIPE-DEX | PIPING IN EAST PENETRATION ROOM IS DAMAGED GIVEN WEST ROOM DAMAGED | 3.0E-001 | YES (note 1) |
BTO-WIND-DEX | F4+ TORNADO WINDS DAMAGE WEST PENETRATION ROOM STRUCTURE | 1.7E-001 | YES (note 1) |
EFW-TNK-FC-UST-T | FAILURE OF THE UPPER SURGE TANK (SUPPLY FOR EFW) DUE TO TORNADO | 5.0E-001 | YES (note 1) |
HPI-MDP-FC-SFP | HIGH-PRESSURE INJECTION SYSTEM FAILS IN THE LONG TERM WHEN ALIGNED TO THE SPENT FUEL POOL | TRUE | YES (note 2) |
HPI-TNK-VF-BWST-T | BORATED WATER STORAGE TANK FAILS FOLLOWING TORNADO | 1.7E-001 | YES (note 1) |
IE-LOOP | LOSS OF OFFSITE POWER INITIATING EVENT | 5.7E-006/hr | YES (note 3) |
IE-SGTR | STEAM GENERATOR TUBE RUPTURE INITIATING EVENT | 8.0E-007/hr | YES (note 4) |
IE-SLOCA | SMALL LOSS OF COOLANT ACCIDENT INITIATING EVENT | 3.4E-007/hr | YES (note 4) |
IE-TO | TORNADO >F2 IMPACTS OCONEE WITH UNIT AT POWER---UNIT 1 | 7.8E-009/hr | YES (note 5) |
IE-TO | TORNADO >F2 IMPACTS OCONEE WITH UNIT AT POWER---UNITS 2 & 3 | 7.9E-009/hr | YES (note 5) |
IE-TRAN | TRANSIENT INITIATING EVENT | 1.6E-004/hr | YES (note 4) |
RCS-MDP-LK-SEALS-T | REACTOR COOLANT PUMP SEALS FAIL WITHOUT COOLING AND INJECTION---UNIT 1 | TRUE | YES (note 1) |
RCS-MDP-LK-SEALS-T | REACTOR COOLANT PUMP SEALS FAIL WITHOUT COOLING AND INJECTION---UNITS 2 AND 3 | 2.2E-001 | YES (note 1) |
SSF-MDP-TM-ASW | SSF ASW PUMP UNAVAILABLE DUE TO T&M | 8.3E-002 | NO |
SSF-XHE-XA-SSF-T | OPERATOR FAILS TO INITIATE STANDBY SHUTDOWN FACILITY FOLLOWING A TORNADO | 2.5E-001 | YES (note 1) |

Notes:
1. Model update to account for the new Tornado event tree. See Attachment B for details.
2. Basic event changed to reflect the event being analyzed. See the Modeling Assumptions section in the main report.
3. Model update using data from NUREG/CR-5750, Table H3 (Ref. 9) and NUREG/CR-5496 Table B4 (Ref. 10).
4. Model update using data from NUREG/CR-5750, Table 3-1 (Ref. 9).
5. Model update to account for the new Tornado event tree. See Attachment A for initiating event frequency calculation.

Figure 1. Tornado event tree
[Figure not reproduced: event tree TORNADO - Tornado > F2 Impacts Oconee Units 1, 2, & 3, dated 2001/07/22, with sequences 1 through 30 ending in OK or CD end states. Top events: IE-TO (Tornado > F2 Impacts Oconee Units 1, 2, & 3); TURBUS (Tornado Winds do not Fail 4160 Switchgear in Turbine Building); BWST (Tornado Winds do not Cause Failure of BWST); EFW-T (Emergency Feedwater is Available); PRVL-RES-T (Pzr Safety Valve Reseats After Opening); ASW (ASW Pump Or SSF ASW Provides SSHR); SEALLOCA-T (RCP Seals do not Fail During Tornado); HPI-L-T (Sufficient Flow from the HPCI System); HPI-LONG (Long-term Heat Removal Available).]
Attachment A - Tornado Event Tree Logic Description

This event tree was adapted from the Oconee IPEEE (Ref. 4, Figure 5-1). A description of each core damage sequence is provided below. Discussions about the calculation of the tornado initiating event frequency and use of sequence correction factors follow.

Sequence summaries
1. Sequence 1 - Power is available to the three 4160-V ac safety-related buses providing power to the high-pressure injection (HPI) pumps and to the low-pressure service water (LPSW) system that supplies motor cooling to the HPI pumps. The borated water storage tank (BWST) is available but not required in this sequence. EFW provides secondary side cooling, preventing the pressurizer safety valves (PSVs) from lifting. Because emergency feedwater (EFW) functions, auxiliary service water (ASW) is not demanded. Given that a reactor coolant pump (RCP) seal loss-of-coolant accident (LOCA) does not occur, the reactor coolant system (RCS) remains intact and the sequence leads to an OK end state. The probability that an RCP seal LOCA does not occur is primarily dependent upon (1) no tornado-induced damage to the West Penetration Room (no failure of the RCP seal injection and component cooling lines in this room) and (2) maintaining RCP seal cooling from (a) the SSF reactor coolant makeup (RCM) pump or (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the loss of offsite power (LOOP).
2. Sequence 2 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling to the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW provides secondary side cooling, preventing the PSVs from lifting. Because EFW functions, ASW is not demanded. An RCP seal LOCA occurs but HPI and piggy-back recirculation function, leading to an OK end state. The probability that an RCP seal LOCA occurs is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the LOOP.
3. Sequence 3 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW provides secondary side cooling, preventing the PSVs from lifting. Because EFW functions, ASW is not demanded. Following an RCP seal LOCA, HPI functions, but piggy-back cooling fails because of long-term HPI suction supply failure or non-HPI system failures, leading to a core damage state. The probability that an RCP seal LOCA occurs is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the LOOP.
4. Sequence 4 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW provides secondary side cooling, preventing the PSVs from lifting. Because EFW functions, ASW is not demanded. Following an RCP seal LOCA, piggy-back cooling fails because HPI fails, leading to a core damage state. The probability that an RCP seal LOCA occurs is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the LOOP.
5. Sequence 5 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling. Given that an RCP seal LOCA does not occur, the RCS remains intact and the sequence leads to an OK end state. The probability that an RCP seal LOCA does not occur is primarily dependent upon (1) no tornado-induced damage to the West Penetration Room (no failure of the RCP seal injection and component cooling lines in this room) and (2) maintaining RCP seal cooling from (a) the SSF RCM pump or (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the LOOP.
6. Sequence 6 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling. An RCP seal LOCA occurs but HPI and piggy-back recirculation function, leading to an OK end state. The probability that an RCP seal LOCA occurs is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the LOOP.
7. Sequence 7 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling. Following an RCP seal LOCA, HPI functions, but piggy-back cooling fails because of long-term HPI suction supply failure or non-HPI system failures, leading to a core damage state. The probability that an RCP seal LOCA occurs is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the LOOP.
8. Sequence 8 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling. Following an RCP seal LOCA, piggy-back cooling fails because HPI fails, leading to a core damage state. The probability that an RCP seal LOCA occurs is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. HPI is expected to only have a momentary interruption in operation while power supplies are automatically switched following the LOOP.
9. Sequence 9 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. ASW fails, resulting in a loss of all secondary side cooling. The occurrence of an RCP seal LOCA is not relevant to the sequence end state because no secondary side cooling is available. With no secondary cooling, HPI and HPR are required to function, making the occurrence of an RCP seal LOCA irrelevant. Long-term core cooling is provided by HPI and piggy-back recirculation, leading to an OK end state.
10. Sequence 10 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. ASW fails, resulting in a loss of all secondary side cooling. The occurrence of an RCP seal LOCA is not relevant to the sequence end state because no secondary side cooling is available. With no secondary cooling, HPI and HPR are required to function, making the occurrence of an RCP seal LOCA irrelevant. Piggy-back cooling fails because of long-term HPI suction supply failure or non-HPI system failures, leading to a core damage state.
11. Sequence 11 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. ASW fails, resulting in a loss of all secondary side cooling. The occurrence of an RCP seal LOCA is not relevant to the sequence end state because no secondary side cooling is available. With no secondary cooling, HPI and HPR are required to function, making the occurrence of an RCP seal LOCA irrelevant. Piggy-back cooling fails because HPI fails, leading to a core damage state.
12. Sequence 12 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then fails to reclose. With a failed-open PSV, HPI and piggy-back recirculation are required for long-term success. Success of ASW does not matter because it will not affect HPI performance with the BWST available; and a seal LOCA will not be significant, given the failed-open PSV. Long-term core cooling is provided by HPI and piggy-back recirculation, leading to an OK end state.
13. Sequence 13 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then fails to reclose. With a failed-open PSV, HPI and piggy-back recirculation are required for long-term success. Success of ASW does not matter because it will not affect HPI performance with the BWST available; and a seal LOCA will not be significant, given the failed-open PSV. Piggy-back cooling fails because of long-term HPI suction supply failure or non-HPI system failures, leading to a core damage state.
14. Sequence 14 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. The BWST is available as the supply to the HPI system, allowing full flow capability from the HPI pumps. EFW fails to provide secondary side cooling and a PSV lifts and then fails to reclose. With a failed-open PSV, HPI and piggy-back recirculation are required for long-term success. Success of ASW does not matter because it will not affect HPI performance with the BWST available; and a seal LOCA will not be significant, given the failed-open PSV. Piggy-back cooling fails because HPI fails, leading to a core damage state.
15. Sequence 15 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system, if required, to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW provides secondary side cooling, preventing the PSVs from lifting. Because EFW functions, ASW is not demanded. Given that an RCP seal LOCA does not occur, the RCS remains intact and the sequence leads to an OK end state. The probability that an RCP seal LOCA does not occur is primarily dependent upon (1) no tornado-induced damage to the West Penetration Room (no failure of the RCP seal injection and component cooling lines in this room) and (2) maintaining RCP seal cooling from (a) the SSF RCM pump or (b) the HPI system realigned to the spent fuel pool supply.
16. Sequence 16 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW provides secondary side cooling, preventing the PSVs from lifting and allowing the RCS to be depressurized sufficiently to allow the 180 gpm from the HPI system to provide adequate makeup to the RCS. Because EFW functions, ASW is not demanded. An RCP seal LOCA occurs but HPI and piggy-back recirculation function, leading to an OK end state. The RCP seal LOCA probability is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system realigned to the spent fuel pool supply.
17. Sequence 17 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW provides secondary side cooling, preventing the PSVs from lifting and allowing the RCS to be depressurized sufficiently to allow the 180 gpm from the HPI system to provide adequate makeup to the RCS following the seal LOCA. Because EFW functions, ASW is not demanded. An RCP seal LOCA occurs, and long-term HPI suction supply failure or non-HPI system failures lead to a failure of piggy-back recirculation and a core damage end state. The RCP seal LOCA probability is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system realigned to the spent fuel pool supply.
18. Sequence 18 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW provides secondary side cooling, preventing the PSVs from lifting and allowing the RCS to be depressurized sufficiently to allow the 180 gpm from the HPI system to provide adequate makeup to the RCS following the seal LOCA. Because EFW functions, ASW is not demanded. An RCP seal LOCA occurs, and HPI system failures lead to a core damage end state. The RCP seal LOCA probability is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system realigned to the spent fuel pool supply.
19. Sequence 19 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system, if required, to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling. Given that an RCP seal LOCA does not occur, the RCS remains intact and the sequence leads to an OK end state. The probability that an RCP seal LOCA does not occur is primarily dependent upon (1) no tornado-induced damage to the West Penetration Room (no failure of the RCP seal injection and component cooling lines in this room) and (2) maintaining RCP seal cooling from (a) the SSF RCM pump or (b) the HPI system realigned to the spent fuel pool supply.
20. Sequence 20 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling, allowing the RCS to be depressurized sufficiently to allow the 180 gpm from the HPI system to provide adequate makeup to the RCS following the seal LOCA. An RCP seal LOCA occurs but HPI and piggy-back recirculation function, leading to an OK end state. The RCP seal LOCA probability is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system realigned to the spent fuel pool supply.
21. Sequence 21 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling, allowing the RCS to be depressurized sufficiently to allow the 180 gpm from the HPI system to provide adequate makeup to the RCS following the seal LOCA. An RCP seal LOCA occurs, and long-term HPI suction supply failure or non-HPI system failures lead to a failure of piggy-back recirculation and a core damage end state. The RCP seal LOCA probability is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system realigned to the spent fuel pool supply.
22. Sequence 22 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. The ASW system provides secondary side cooling, allowing the RCS to be depressurized sufficiently to allow the 180 gpm from the HPI system to provide adequate makeup to the RCS following the seal LOCA. An RCP seal LOCA occurs, and HPI system failures lead to a core damage end state. The RCP seal LOCA probability is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system realigned to the spent fuel pool supply.
23. Sequence 23 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW fails to provide secondary side cooling and a PSV lifts and then recloses. Failure of ASW results in a loss of all secondary side cooling and prevents cool down and depressurization of the RCS. HPI flow is insufficient to provide makeup given a seal LOCA and no secondary-side cooling (i.e., elevated RCS pressure) and leads to a core damage end state.
24. Sequence 24 - Power is available to the three 4160-V ac safety-related buses providing power to the HPI pumps and to the LPSW system that supplies motor cooling for the HPI pumps. Failure of the BWST requires alignment of the HPI system to the spent fuel pool. Alignment of the HPI pumps to the spent fuel pool limits the flow rate from the HPI pumps to 180 gpm. The flow limit prevents potential cavitation of the pumps resulting from spent fuel pool suction path limitations. EFW fails to provide secondary side cooling and a PSV lifts and then fails to reclose. The 180 gpm available from the HPI system is insufficient to provide makeup given a lifted PSV and leads to a core damage end state.
25. Sequence 25 - Power is unavailable to the three 4160-V ac safety-related buses, which renders the HPI, DHR coolers, and the motor-driven EFW pumps inoperable from loss of LPSW. The turbine-driven EFW pump provides secondary side cooling, preventing the PSVs from lifting. Because EFW functions, ASW is not demanded. Given that an RCP seal LOCA does not occur, the RCS remains intact and the sequence leads to an OK end state. The probability that an RCP seal LOCA does not occur is primarily dependent upon (1) no tornado-induced damage to the West Penetration Room (no failure of the RCP seal injection and component cooling lines in this room) and (2) maintaining RCP seal cooling from (a) the SSF RCM pump or (b) the HPI system. Restoration of seal cooling from the HPI system requires repowering the HPI pump from the station ASW bus and realigning the HPI motor cooling to the station ASW system.
26. Sequence 26 - Power is unavailable to the three 4160-V ac safety-related buses, which renders the DHR coolers, the motor-driven EFW pumps, and HPI pumps inoperable from the loss of the LPSW. The turbine-driven EFW pump provides secondary side cooling, preventing the PSVs from lifting. Because EFW functions, ASW is not demanded. Following an RCP seal LOCA, piggy-back recirculation fails because the DHR coolers are inoperable. This leads to a core damage end state. HPI may function following the RCP seal LOCA if the HPI motor is repowered from the SSF ASW bus and HPI motor coolers are realigned to the ASW supply. However, this will only delay core damage because piggy-back recirculation is required. The probability of an RCP seal LOCA is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. Restoration of seal cooling from the HPI system requires repowering the HPI pump from the station ASW bus and realigning the HPI motor cooling to the station ASW system.
27. Sequence 27 - Power is unavailable to the three 4160-V ac safety-related buses, which renders the DHR coolers and the motor-driven EFW pumps inoperable from loss of LPSW. The turbine-driven EFW pump fails to provide secondary side cooling and a PSV lifts and recloses. The ASW system provides secondary side cooling. Given that an RCP seal LOCA does not occur, the RCS remains intact and the sequence leads to an OK end state. The probability that an RCP seal LOCA does not occur is primarily dependent upon (1) no tornado-induced damage to the West Penetration Room (no failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. Restoration of seal cooling from the HPI system requires repowering the HPI pump from the station ASW bus and realigning the HPI motor cooling to the station ASW system.
28. Sequence 28 - Power is unavailable to the three 4160-V ac safety-related buses, which renders the DHR coolers and the motor-driven EFW pumps inoperable from loss of LPSW. The turbine-driven EFW pump fails to provide secondary side cooling, and a PSV lifts and recloses. The ASW system provides secondary side cooling. An RCP seal LOCA occurs. Because DHR coolers are inoperable, piggy-back operation is unavailable and this sequence leads to a core damage end state. The probability of an RCP seal LOCA is primarily dependent upon (1) tornado-induced damage to the West Penetration Room (failure of the RCP seal injection and component cooling lines in this room) and (2) failure of RCP seal cooling from (a) the SSF RCM pump and (b) the HPI system. Restoration of seal cooling from the HPI system requires repowering the HPI pump from the station ASW bus and realigning the HPI motor cooling to the station ASW system.
29. Sequence 29 - Power is unavailable to the three 4160-V ac safety-related buses, which renders the DHR coolers and the motor-driven EFW pumps inoperable from loss of LPSW. The turbine-driven EFW pump fails to provide secondary side cooling and a PSV lifts and recloses. The ASW system fails to provide secondary side cooling; therefore, piggy-back cooling is required. Because DHR coolers are inoperable, piggy-back operation is unavailable and this sequence leads to a core damage end state.
30. Sequence 30 - Power is unavailable to the three 4160-V ac safety-related buses, which renders the DHR coolers and the motor-driven EFW pumps inoperable from loss of LPSW. The turbine-driven EFW pump fails to provide secondary side cooling and a PSV lifts and fails to reclose. Because DHR coolers are inoperable, piggy-back operation is unavailable and this sequence leads to a core damage end state.
Initiating event frequency
Initiating event frequency for tornadoes of intensity F3, F4, and F5. This is the IE-TO top event in the Tornado event tree. IE-TO is the sum of the frequencies for tornadoes of intensity F3, F4, and F5. The borated water storage tank would become unavailable at these tornado intensities. IE-TO is calculated as follows:
- Frequencies obtained from the IPEEE (Ref. 4, Table 5-2).
- Summed frequencies for F3, F4, and F5 intensity tornadoes: IE-TO = 4.12E-05/yr + 3.59E-05/yr + 1.71E-06/yr = 7.88E-05/yr; 7.88E-05/yr / 8760 hr/yr = 9.00E-09/hr.
- This was then multiplied by the plant criticality factor to account for time when the plant was shut down.
- The criticality factor for Unit 1 is 0.87; therefore, IE-TO = 9.00E-09/hr*0.87 = 7.83E-09/hr.
- The criticality factor for Unit 2 is 0.88 and for Unit 3 is 0.84. Because of similarities with reactor coolant pump seal LOCA modeling, only one model was created for Units 2 and 3. Since the two factors are fairly close, the criticality factor for Unit 2 was conservatively used for both. IE-TO = 9.00E-09/hr*0.88 = 7.92E-09/hr for both Units 2 and 3.
Sequence correction factors
The SAPHIRE integrated PRA software tool that is used to analyze the SPAR models uses a default value of 1.0 for the success path on every event tree branch point. In those cases where the failure path (i.e., the solution to the underlying fault tree) is relatively large (e.g., >0.01), using a default value of 1.0 for the success path can overestimate sequence probabilities that involve certain success paths. To more accurately model the success paths for those branch points with relatively large failure probabilities, sequence correction factors are applied.
The sequence correction factors are derived by multiplying together the complement of each associated failure path for the sequence. The sequence correction factors are shown in Table A.1.
Table A.1. Sequence correction factors for the tornado event tree core damage sequences

| Sequence | Event name | Branch point success paths | Branch point failure probability | Branch point success probabilities | Sequence correction factor¹ |
|---|---|---|---|---|---|
| 3 | TO-03-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 1.5E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /EFW-T | 5.4E-01 | 4.6E-01 | |
| | | /HPI-L-T | 3.5E-01 | 6.5E-01 | |
| 4 | TO-04-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 2.4E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /EFW-T | 5.4E-01 | 4.6E-01 | |
| 7 (Base Case) | TO-07-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 2.2E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 2.8E-01 | 7.2E-01 | |
| | | /HPI-L-T | 3.5E-01 | 6.5E-01 | |
| 7 (Change Case) | TO-07-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 1.6E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 4.7E-01 | 5.3E-01 | |
| | | /HPI-L-T | 3.5E-01 | 6.5E-01 | |
| 8 (Base Case) | TO-08-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 3.3E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 2.8E-01 | 7.2E-01 | |
| 8 (Change Case) | TO-08-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 2.4E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 4.7E-01 | 5.3E-01 | |
| 10 | TO-10-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 3.0E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /HPI-L-T | 3.5E-01 | 6.5E-01 | |
| 11 | TO-11-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 4.6E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| 13 | TO-13-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 3.3E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| | | /HPI-L-T | 3.5E-01 | 6.5E-01 | |
| 14 | TO-14-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 5.1E-01 |
| | | /BWST | 1.7E-01 | 8.3E-01 | |
| 17 | TO-17-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 1.6E-01 |
| | | /EFW-T | 5.4E-01 | 4.6E-01 | |
| | | /HPI-L-T | 4.2E-01 | 5.8E-01 | |
| 18 | TO-18-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 2.8E-01 |
| | | /EFW-T | 5.4E-01 | 4.6E-01 | |
| 21 (Base Case) | TO-21-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 2.3E-01 |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 2.8E-01 | 7.2E-01 | |
| | | /HPI-L-T | 4.2E-01 | 5.8E-01 | |
| 21 (Change Case) | TO-21-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 1.7E-01 |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 4.7E-01 | 5.3E-01 | |
| | | /HPI-L-T | 4.2E-01 | 5.8E-01 | |
| 22 (Base Case) | TO-22-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 4.0E-01 |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 2.8E-01 | 7.2E-01 | |
| 22 (Change Case) | TO-22-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 2.9E-01 |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| | | /ASW | 4.7E-01 | 5.3E-01 | |
| 23 | TO-23-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 5.6E-01 |
| | | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | |
| 24 | TO-24-SCF | /TURBUS | 3.8E-01 | 6.2E-01 | 6.2E-01 |
| 26 | TO-26-SCF | /EFW-T | 5.6E-02 | 9.4E-01 | 9.4E-01 |
| 28 (Base Case) | TO-28-SCF | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | 6.5E-01 |
| | | /ASW | 2.8E-01 | 7.2E-01 | |
| 28 (Change Case) | TO-28-SCF | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | 4.7E-01 |
| | | /ASW | 4.7E-01 | 5.3E-01 | |
| 29 | TO-29-SCF | /PRVL-RES-T | 1.0E-01 | 9.0E-01 | 9.0E-01 |
| 30 | TO-30-SCF | /None | 0.0E+00 | 1.0E+00 | |

1. Product of branch point success probabilities.
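The check below is an added example, not part of the NRC analysis: it recomputes each Table A.1 sequence correction factor as the product of the complements of the printed branch point failure probabilities, and repeats the IE-TO arithmetic from the initiating event frequency section. The function names and the 0.01 tolerance are assumptions made for this example; sequence 30 is left out because no correction factor value is printed for it.

```python
"""Cross-check of Table A.1 and of the IE-TO arithmetic (added example)."""
from math import prod

# Branch point failure probabilities per core damage sequence, and the
# sequence correction factor (SCF) printed for it, typed in from Table A.1.
TABLE_A1 = {
    "3": ({"TURBUS": 0.38, "BWST": 0.17, "EFW-T": 0.54, "HPI-L-T": 0.35}, 0.15),
    "4": ({"TURBUS": 0.38, "BWST": 0.17, "EFW-T": 0.54}, 0.24),
    "7 (Base Case)": ({"TURBUS": 0.38, "BWST": 0.17, "PRVL-RES-T": 0.10,
                       "ASW": 0.28, "HPI-L-T": 0.35}, 0.22),
    "7 (Change Case)": ({"TURBUS": 0.38, "BWST": 0.17, "PRVL-RES-T": 0.10,
                         "ASW": 0.47, "HPI-L-T": 0.35}, 0.16),
    "8 (Base Case)": ({"TURBUS": 0.38, "BWST": 0.17, "PRVL-RES-T": 0.10,
                       "ASW": 0.28}, 0.33),
    "8 (Change Case)": ({"TURBUS": 0.38, "BWST": 0.17, "PRVL-RES-T": 0.10,
                         "ASW": 0.47}, 0.24),
    "10": ({"TURBUS": 0.38, "BWST": 0.17, "PRVL-RES-T": 0.10, "HPI-L-T": 0.35}, 0.30),
    "11": ({"TURBUS": 0.38, "BWST": 0.17, "PRVL-RES-T": 0.10}, 0.46),
    "13": ({"TURBUS": 0.38, "BWST": 0.17, "HPI-L-T": 0.35}, 0.33),
    "14": ({"TURBUS": 0.38, "BWST": 0.17}, 0.51),
    "17": ({"TURBUS": 0.38, "EFW-T": 0.54, "HPI-L-T": 0.42}, 0.16),
    "18": ({"TURBUS": 0.38, "EFW-T": 0.54}, 0.28),
    "21 (Base Case)": ({"TURBUS": 0.38, "PRVL-RES-T": 0.10, "ASW": 0.28,
                        "HPI-L-T": 0.42}, 0.23),
    "21 (Change Case)": ({"TURBUS": 0.38, "PRVL-RES-T": 0.10, "ASW": 0.47,
                          "HPI-L-T": 0.42}, 0.17),
    "22 (Base Case)": ({"TURBUS": 0.38, "PRVL-RES-T": 0.10, "ASW": 0.28}, 0.40),
    "22 (Change Case)": ({"TURBUS": 0.38, "PRVL-RES-T": 0.10, "ASW": 0.47}, 0.29),
    "23": ({"TURBUS": 0.38, "PRVL-RES-T": 0.10}, 0.56),
    "24": ({"TURBUS": 0.38}, 0.62),
    "26": ({"EFW-T": 0.056}, 0.94),
    "28 (Base Case)": ({"PRVL-RES-T": 0.10, "ASW": 0.28}, 0.65),
    "28 (Change Case)": ({"PRVL-RES-T": 0.10, "ASW": 0.47}, 0.47),
    "29": ({"PRVL-RES-T": 0.10}, 0.90),
}

# F3, F4 and F5 tornado frequencies (per year) quoted in the IE-TO calculation.
F3_F5_PER_YEAR = (4.12e-05, 3.59e-05, 1.71e-06)
HOURS_PER_YEAR = 8760.0


def correction_factor(failure_probs):
    """SCF = product of the complements (1 - p) of the success-path branches."""
    return prod(1.0 - p for p in failure_probs)


def cross_check(table=TABLE_A1, tol=0.01):
    """Return (sequence, recomputed SCF, printed SCF) for rows differing by > tol."""
    mismatches = []
    for sequence, (branches, printed) in table.items():
        recomputed = correction_factor(branches.values())
        if abs(recomputed - printed) > tol:
            mismatches.append((sequence, round(recomputed, 4), printed))
    return mismatches


def overestimate_without_scf(sequence, table=TABLE_A1):
    """Factor by which a default success value of 1.0 inflates the sequence."""
    branches, _ = table[sequence]
    return 1.0 / correction_factor(branches.values())


def ie_to_per_hour(criticality_factor, freqs_per_year=F3_F5_PER_YEAR):
    """Summed tornado frequency converted to per hour, times criticality factor."""
    return sum(freqs_per_year) / HOURS_PER_YEAR * criticality_factor


if __name__ == "__main__":
    for seq, (branches, printed) in TABLE_A1.items():
        scf = correction_factor(branches.values())
        print(f"{seq:<17} recomputed {scf:.3f}  printed {printed:.2f}")
    print("rows outside 0.005:", [row[0] for row in cross_check(tol=0.005)])
    for unit, cf in (("Unit 1", 0.87), ("Units 2 and 3", 0.88)):
        print(f"IE-TO {unit}: {ie_to_per_hour(cf):.2E}/hr")
```

With the default tolerance every row agrees; tightening it to 0.005 lists five rows (8 Change Case, 17, 18, 22 Change Case, 28 Change Case) whose printed factors sit slightly below the product of the two-significant-figure inputs.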
Attachment B - Fault Tree Logic Description
New fault trees (i.e., those that are not included in the SPAR 2QA models [Ref. 5]) and those significantly modified (i.e., those that are included in the SPAR 2QA models [Ref. 5], but which required extensive revision) are discussed in more detail below. The fault trees are included in Attachment D.
TURBUS - Tornado Winds Fail Safety-Related 4160 V Switchgear in the Turbine Building. This fault tree is used in the TURBUS top event in the TO event tree. "Tornado damage results in 4 kV switchgear failure" (ACP-TO-LP = 3.8E-1) is the single basic event in this fault tree. This fault tree was created to incorporate tornado-induced failure of the emergency buses in the turbine building based on the IPEEE [basic event BACK4160DEX].
BWST - Tornado Winds Cause Failure of BWST. This fault tree is used in the BWST top event in the TO event tree. Borated water storage tank failure following a tornado (HPI-TNK-VF-BWST-T) is the single basic event in this fault tree. This basic event was pulled out of the HPI-L-T fault tree and modeled here in the event tree logic to simplify the branch point logic at other points in the event tree. The failure probability for this event was updated based on the IPEEE [basic event BTOWINDDEX]. Different probabilities were used in the IPEEE for failure of the BWST (HPI-TNK-VF-BWST-T): 0.13 for an F3 tornado and 0.17 for F4 or greater. To simplify the model, 0.17 was conservatively used in this analysis. The results of the analysis are not sensitive to this simplification.
EFW-T - No or Insufficient Emergency Feedwater Flow During Tornado. This fault tree is used in the EFW-T top event in the TO event tree. Success is defined as one-out-of-three EFW pump trains delivering water to at least one-out-of-two steam generators. Mission time is 24 hours. Not included in the model:
- Ability of motor-driven pump trains to feed opposite steam generator (e.g., motor-driven EFW pump B feeding steam generator A)
- Cross-connection to EFW system of other units
- Failure of the testing/recirculation lines as a divergence
- Actuation signal failures
- Support system failures other than ac power
- Testing/maintenance unavailabilities
- Human errors of misalignment, miscalibration, etc.
The SPAR 2QA model for the EFW system was modified to include the tornado-induced failures of:
- Upper surge tanks (UST), which are the safety-related condensate storage for the EFW system
- EFW suction from the UST
- EFW injection piping located in the East and West Penetration Rooms
- Electrical power support systems
The failure probability for failure of the upper surge tank due to tornado (basic event EFW-TNK-FC-UST-T = 0.5) in the EFW-T fault tree is based on the IPEEE [basic event BEFUSTWDEX]. The model was simplified to only include the upper surge tank (UST) supply because the hotwell will be unavailable following a tornado-induced loss of offsite power (see below). Portions of the EFW injection piping are located in the East and West Penetration Rooms. Tornado-induced failure probabilities for these two rooms were added to the EFW-T fault tree. The failure probabilities for these basic events (BTO-WIND-DEX = 0.17 and BEF-PIPE-DEX = 0.3) are based on the IPEEE. Success requires undamaged piping in one penetration room. Transfers to Loss of AC Power on Bus . . . fault trees (ACP-3TD-T and ACP-3TE-T) were changed to transfer to new fault trees that account for tornado-induced failure of:
- All three vital 4160-V buses in the turbine building
- Offsite power
- Keowee hydroelectric stations
Tornado-induced failure of the three vital 4160-V buses in the turbine building is included under the top event and fault tree TURBUS.
10. The switchyard, overhead lines, and exposed transformers are expected to be rendered unavailable by the tornado. Portions of the emergency power fault trees associated with the overhead feeder, which transfer into several of the SPAR 2QA fault trees used, were deleted.
11. The event "tornado damage fails emergency power from Keowee" (new basic event BKEOWEE = 0.31) replaced the common cause failure of Keowee hydro event (original basic event EPS-HEU-CF-KEOWE) in the division power fault trees (EP-MFB1-T, EP-MFB2-T). The failure probability of BKEOWEE is based on the IPEEE [basic event BACKHF5DEX]. Different probabilities were used in the IPEEE for the common-cause failure of the Keowee hydro units for F3, F4, and F5 tornadoes. The value for F5 tornadoes was used as a simplification in the analysis. The analysis results are insensitive to the use of this simplification.
12. A house event was ANDed with the failure logic for the motor-driven pumps in the EFW-T fault tree. This house event is set to TRUE or FALSE to turn on or off the failure logic for the motor-driven EFW pumps based on availability of power from the 4160 V switchgear in the turbine building.
PRVL-RES-T - Pressurizer PORV and Block Valve and SRVs Fail to Reseat

This fault tree is used in the PRVL-RES-T top event in the TO event tree. Success requires closure of the pressurizer power-operated relief valve (PORV) or its block valve and reclosure of the safety relief valves (SRVs) on decreasing primary pressure. Operator action is modeled to close the block valve should the PORV fail to close. The PORV block valve failures are also modeled. The transfer to the Loss of AC Power on Bus 3TC fault tree (ACP-3TC-T) was changed to transfer to new fault trees that account for tornado-induced failure of:
- All three vital 4160-V buses in the turbine building
- Offsite power
- Keowee hydroelectric stations

Refer to the EFW-T discussion, above, for details.
ASW - Station ASW and SSF ASW Systems Fail to Provide Secondary Side Heat Removal

This fault tree is used in the ASW top event in the TO event tree. Success is defined as manually aligning either the station ASW pump or the SSF ASW pump (these two pumps are redundant) to one of their suction sources and delivering water to at least one-out-of-two steam generators. Mission time is 24 hours. The SPAR Rev. 3i model for the Standby Support Facility (SSF) auxiliary service water (ASW) system was modified to add the following:
- Station ASW system failure logic based on the IPEEE modeling of the station ASW system, including the tornado-induced failure of the Keowee hydroelectric generator
- Tornado-induced failure of ASW/EFW injection piping in the East and West Penetration Rooms

The station ASW pump can provide simultaneous steam generator cooling to all three units. The suction source for this pump is lake water from the Unit 2 condenser circulating water intake piping. The station ASW switchgear is powered directly from Keowee via the CT4 transformer and underground feed. The station ASW pump, its switchgear, power cables, and suction piping are all protected from tornado wind and missile damage. The station ASW requires manual alignment. The station ASW is modeled under the top fault tree ASW.

Portions of the station ASW/EFW injection piping are located in the East and West Penetration Rooms. Tornado-induced failure probabilities for these two rooms were added to the EFW-T fault tree. The failure probabilities for these basic events (BTO-WIND-DEX = 0.17 and BEF-PIPE-DEX = 0.3) are based on the IPEEE. Success requires intact piping in one penetration room.

During a station blackout with a concurrent loss of normal and emergency feedwater systems, the SSF can be used to provide steam generator cooling and RCP cooling and makeup. The SSF is used under extreme emergency conditions and is a separate and independent means to achieve and maintain hot shutdown conditions. The features modeled in the SSF-ASW fault tree include:
- Tornado-proof SSF structure
- SSF ASW system (different from the station ASW system)
- SSF electrical power system (Keowee or SSF diesel generator)
- SSF HVAC system
- SSF systems, including the SSF diesel generator, require manual actuation and operation

The SSF reactor coolant makeup (RCM) system is modeled under the SEALLOCA-T event tree top event.

The SSF ASW system is designed to cool the reactor coolant system by providing steam generator cooling. One motor-driven SSF ASW pump powered by the SSF diesel generator serves all three units. The suction source is lake water from the Unit 2 condenser circulating water piping. The pump suction sources are not included in the model.

Portions of the SSF-ASW/EFW injection piping are located in the West Penetration Room. The tornado-induced failure probability for this room was added to the EFW-T fault tree. The failure probability for this basic event (BTO-WIND-DEX = 0.17) is based on the IPEEE.

Electrical power can be supplied from either the Keowee hydroelectric station via the underground feeder or from a dedicated SSF diesel generator.
10. The SSF electrical power includes 4160-V ac, 208-V ac, and 124-V dc power. It consists of its own switchgear, control centers, batteries, battery chargers, and a diesel electric generator unit. The diesel generator requires jacket cooling provided by the SSF service water pump and heat exchangers. The SSF requires heating, ventilation, and air conditioning (HVAC) provided by two HVAC service water pumps and two HVAC air conditioning systems.
11. The event "tornado damage fails emergency power from Keowee" (new basic event BKEOWEE = 0.31) replaced the common cause failure of Keowee hydro event (original basic event EPS-HEU-CF-KEOWE) in the SSF-POWER fault tree. The failure probability of BKEOWEE is based on the IPEEE [basic event BACKHF5DEX]. Different probabilities were used in the IPEEE for the common-cause failure of the Keowee hydro units for F3, F4, and F5 tornadoes. The value for F5 tornadoes was used as a simplification in the analysis. The analysis results are insensitive to the use of this simplification.
12. The failure probability for the event "operator fails to initiate standby shutdown facility" (basic event SSF-XHE-XA-SSF-T = 0.25) was modified using the SPAR HRA methodology to account for the tornado-induced failures. Details of the calculation are provided in Attachment C.
SEALLOCA-T - RCP Seals Fail During a Tornado

This fault tree is used in the SEALLOCA-T top event in the TO event tree. Success means that the SSF reactor coolant makeup system or HPI was successful in providing RCP seal cooling or that a seal LOCA did not occur. Failure means that a seal LOCA has occurred. This requires high pressure injection (top event HPI-L-T) and piggy-back recirculation (top event HPI-LONG) to be successful to avoid core damage.

Two fault trees were used to model RCP seal LOCA. The SL-SSF-SUCCESS fault tree was substituted whenever ASW is successful to eliminate mutually exclusive events between the ASW fault tree and the SEALLOCA-T fault tree (SSF-POWER, SSF-XHE-XA-SSF-T). Both fault trees include the contribution of reactor coolant pump (RCP) seal failure (basic event RCS-MDP-LK-SEALS) and the tornado-induced failure of the SSF reactor coolant makeup (RCM) system.

Oconee Unit 1 has RCP seal assembly O-rings that have not been qualified for high pressures and temperatures. For these seal assemblies, based on the Rhodes model (Refs. 7 and 8), if seal cooling is unavailable for over 10 minutes, the probability of failure (due to O-ring failure) is 1.0. For Units 2 and 3, which have enhanced seals, the probability of failure (due to O-ring failure) is 0.2.

Following a tornado event, operators have the following options available to provide RCP seal cooling: (1) using the safe shutdown facility (SSF) reactor coolant makeup (RCM) pumps, (2) HPI using the manual alignment (sequences 1 through 14), or (3) recovering the HPI system with temporary power from the SSF switchgear (sequences 15 through 30).

In the tornado event tree developed for this analysis, seal cooling provided by the SSF RCM pump is modeled in the SEALLOCA-T fault tree. Recovery of the HPI for the purpose of seal cooling is not explicitly modeled; however, recovery of HPI for maintaining RCS inventory is modeled in fault tree HPI-L-T and is after the SEALLOCA-T branch point.

Because of the potential for significant equipment damage following a tornado and the numerous recovery actions, no credit is taken for manually recovering seal cooling within 10 minutes for sequences 15 through 30. Recovery of seal cooling after 10 minutes is modeled by setting basic event RCS-MDP-LK-SEALS-T to 1.0 for Unit 1 and 0.22 for Units 2 and 3. For sequences 1 through 14, the use of 1.0 for Unit 1 and 0.22 for Units 2 and 3 is conservative. For these sequences, the turbine building buses and BWST remain intact. Therefore, RCP seal cooling from HPI is expected to only have a momentary interruption (< 1 minute) in operation while power supplies are automatically switched following the tornado-induced loss of offsite power. The results of the analysis are not sensitive to this simplification.

The SSF reactor coolant makeup (RCM) pump provides seal injection cooling to all RCPs at all three plant units. The features modeled in the SSF RCM fault trees (SEALLOCA-T-2, SL-SSF-SUCCESS-1) include:
- Tornado-induced failure of the RCM injection piping in the West Penetration Room
- RCM pump train
- SSF power sources (SEALLOCA-T-2 only)
- Manual operator action to initiate the SSF (SEALLOCA-T-2 only)

A system description of the SSF and the bases for the failure probabilities of the SSF power source and manual initiation of the SSF are provided in the ASW top event description. Portions of the SSF RCM injection piping are located in the West Penetration Room. The tornado-induced failure probability for this room is added to gate SEALLOCA-T-1. The failure probability for this basic event (BTO-WIND-DEX = 0.17) is based on the IPEEE.
HPI-L-T - No or Insufficient Flow from the High-Pressure Injection (HPI) During a Tornado

This fault tree is used in the HPI-L top event in the TO event tree whenever reactor coolant is being lost (e.g., RCP seal LOCA, stuck-open SRV). Success is defined as one-out-of-three HPI pump trains delivering water from one of its suction sources to the reactor vessel. Mission time is 24 hours. Not included in the model:
- Failure of HPI recirculation line components (miniflow lines back to the BWST)
- Actuation signal failures
- Support system failures other than ac power
- Testing/maintenance unavailabilities
- Human errors of misalignment, miscalibration, etc.

The HPI-L fault tree from the SPAR 2QA model was modified as follows:
- A basic event (HPI-XHE-XM-SFP) was added that models the capability to align the suction of an HPI pump to the spent fuel pool.
- The original basic event (HPI-TNK-VF-BWST) was removed from the HPI fault tree and converted into its own event tree top event (BWST). The suction source from the spent fuel pool is modeled under the fault tree associated with the HPI-LONG top event (see HPI-LONG discussion, below).
- A house event was ANDed with HPI-XHE-XM-SFP, and sequence logic rules were developed to use the appropriate failure probability depending upon the source available in each sequence (spent fuel pool versus BWST).
- Tornado-induced failure of the HPI piping in the East and West Penetration Rooms was added (see item #6).
- Tornado-induced failure of electrical power support systems was added.
5. The failure probability for the event "operator fails to recover power to an HPI pump and align the suction to the spent fuel pool" (basic event HPI-XHE-XM-SFP = 0.11) was modified using the SPAR HRA methodology to account for the tornado-induced failures. Details of the calculation are provided in Attachment C.
6. Portions of the HPI piping are located in the East and West Penetration Rooms. Tornado-induced failure probabilities for these two rooms are added to the HPI-L-T fault tree. The failure probabilities for these basic events (BTO-WIND-DEX = 0.17 and BEF-PIPE-DEX = 0.3) are based on the IPEEE. Success is HPI train dependent.
7. Transfers to Loss of AC Power on Bus ... fault trees (ACP-3TC-T, ACP-3TD-T, ACP-3TE-T) were changed to transfer to new fault trees that account for tornado-induced failure of:
- All three vital 4160-V buses in the turbine building
- Offsite power
- Keowee hydroelectric stations

Refer to the EFW-T discussion, above, for details.
HPI-LONG - Long-Term Heat Removal Not Available Following a Tornado

This fault tree is used in the top event HPI-LONG in the TO event tree. This branch point is entered upon success of the HPI-L-T. Success requires an adequate suction source (BWST or spent fuel pool) for HPI, and successful high-pressure recirculation and decay heat removal. Mission time is 24 hours. This new fault tree HPI-LONG includes:
- The non-tornado-induced failure probability of the HPI suction sources (BWST and spent fuel pool)
- Tornado-induced failure probability of the low-pressure service water suction

High-pressure recirculation (HPR) requires the HPI system to be operated with a low-pressure injection pump taking suction from the sump (piggy-back mode of operation). The low-pressure service water (LPSW) system provides cooling to the decay heat removal coolers. Failure of the LPSW system is dominated by two events: failure of power from the turbine building buses and failure of the LPSW suction source (the CCW intake structure). The tornado-induced failure of the three 4160V buses in the turbine building is included under the top event and fault tree TURBUS. The tornado-induced failure of the LPSW suction source is included in this fault tree. The LPSW suction piping, which is vulnerable to tornado winds and tornado-generated missiles, is assigned a tornado-induced failure probability of 0.1, based on the IPEEE (Ref. 4). Considering that these tornado-induced failures dominate the failure probabilities of the LPSW and LPI systems, these systems were not modeled in this fault tree.

The model assumes that the spent fuel pool is not damaged by the tornado (based on the same assumption in the IPEEE); therefore, the failure probability of the spent fuel pool is set to FALSE in the fault tree. The tornado-induced failure of the BWST is modeled earlier in the TO event tree using its own top event BWST. The failure of the spent fuel pool source is set to TRUE (probability of 1.0) to reflect the first condition modeled in this event.
Attachment C - HRA Calculations

Human error probability for operator to align the suction of an HPI pump to the spent fuel pool (HPI-XHE-SM-SFP)

This event was added to account for potential HPI recovery following loss of the BWST from a tornado. This human error probability was calculated using the SPAR HRA methodology (Ref. 11). The calculation tables are presented in Tables C.1 and C.2. The basis for selecting revised performance shaping factor (PSF) levels and the associated multipliers for tornado sequences are as follows:

Available time: Time will be critical during this event because of the loss of multiple systems as a result of the tornado. Diagnosis of the tornado-induced LOOP should be straightforward based on multiple, diverse indications available to the operator. Determining the available equipment and course of action will take more effort. However, the operator has approximately 4 hours before core uncovery, thus for the diagnostic task, "Extra > 60 m" was chosen for the available time. A multiplier of was used for the diagnostic task. After the diagnostic task is completed, the operators must then perform manual actions to align the pump suction and provide it with a stable power supply. These tasks could easily take up the time remaining to ensure injection occurs in time to prevent core uncovery, thus "time available ≈ time required" was chosen for the operator action. A multiplier of 10 was used for the action task.

Stress on the operators: Because this would be an infrequent and emergency situation (tornado) with multiple equipment failures (i.e., BWST, emergency switchgear), an extreme stress level and PSF were selected for the diagnostic portion. The personnel carrying out the action will have a defined task before them and will be under less stress, but a value of high was still assigned. A multiplier of 5 was used for the diagnostic task and the action task.

Complexity: This operation will involve activating the SSF. The SSF is used under extreme emergency conditions and is a separate and independent means to achieve and maintain hot shutdown conditions. The complexity of this activity is higher than other emergency activities, but it is defined in the plant's Safety Analysis Report. A PSF of moderately complex was selected for this area. A multiplier of 2 was used for both the diagnostic task and the action task.

Procedures: A specific procedure for transfer of the HPI system suction to the spent fuel pool exists. Therefore, a nominal PSF was selected.

Training: Operators have received training on the procedure. Therefore, a nominal PSF was selected.
Table C.1. Aligning the suction of an HPI pump to the spent fuel pool following a tornado (HPI-XHE-SM-SFP)
Diagnostic task failure probability

Performance Shaping Factors | PSF Levels | Multiplier | Basis | Value Used |
---|---|---|---|---|
1. Available Time | Inadequate | [P(failure = 1.0)] | a | |
 | Barely adequate < 20 m | 10 | | |
 | Nominal 30 m | 1 | | |
 | Extra > 60 m | | b | |
 | Expansive > 24 h | 0.01 | | |
2. Stress | Extreme | 5 | b | 5 |
 | High | 2 | | |
 | Nominal | 1 | | |
3. Complexity | Highly | 5 | | 2 |
 | Moderately | 2 | b | |
 | Nominal | 1 | | |
4. Experience/Training | Low | 10 | | 1 |
 | Nominal | 1 | | |
 | High | 0.5 | | |
5. Procedures | Not available | 50 | | 1 |
 | Available, but poor | 5 | | |
 | Nominal | 1 | | |
 | Diagnostic/symptom oriented | 0.5 | | |
6. Ergonomics | Missing/misleading | 50 | | 1 |
 | Poor | 10 | | |
 | Nominal | 1 | | |
 | Good | 0.5 | | |
7. Fitness for Duty | Unfit | [P(failure = 1.0)] | a | 1 |
 | Degraded fitness | 5 | | |
 | Nominal | 1 | | |
8. Work Processes | Poor | 2 | | 1 |
 | Nominal | 1 | | |
 | Good | 0.8 | | |
Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) | | | | 1 |
Nominal Failure Probability | | | | 1.00E-02 |
Adjusted Probability = Total x Nominal | | | | 1.00E-02 |

NOTES
a. Task failure probability is 1.0 regardless of other PSFs.
b. See basis for change described on the previous page.
Table C.2. Aligning the suction of an HPI pump to the spent fuel pool following a tornado (HPI-XHE-SM-SFP)
Physical operator action failure probability

Performance Shaping Factors | PSF Levels | Multiplier | Basis | Value Used |
---|---|---|---|---|
1. Available Time | Inadequate | [P(failure = 1.0)] | a | 10 |
 | Time available ≈ time required | 10 | b | |
 | Nominal | 1 | | |
 | Available > 50x time required | 0.01 | | |
2. Stress | Extreme | 5 | b | 5 |
 | High | 2 | | |
 | Nominal | 1 | | |
3. Complexity | Highly | 5 | | 2 |
 | Moderately | 2 | b | |
 | Nominal | 1 | | |
4. Experience/Training | Low | 3 | | 1 |
 | Nominal | 1 | | |
 | High | 0.5 | | |
5. Procedures | Not available | 50 | | 1 |
 | Available, but poor | 5 | | |
 | Nominal | 1 | | |
6. Ergonomics | Missing/misleading | 50 | | 1 |
 | Poor | 10 | | |
 | Nominal | 1 | | |
 | Good | 0.5 | | |
7. Fitness for Duty | Unfit | [P(failure = 1.0)] | a | 1 |
 | Degraded fitness | 5 | | |
 | Nominal | 1 | | |
8. Work Processes | Poor | 2 | | 1 |
 | Nominal | 1 | | |
 | Good | 0.8 | | |
Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) | | | | 100 |
Nominal Failure Probability | | | | 1.00E-03 |
Adjusted Probability = Total x Nominal | | | | 1.00E-01 |
Total Diagnostic + Action | | | | 1.1E-01 |

NOTES
a. Task failure probability is 1.0 regardless of other PSFs.
b. See basis for change described on page 2
2. Human error probability for operators to initiate the standby shutdown facility following a tornado (SSF-XHE-XA-SSF)

The probability for this event was modified to account for the operators failing to successfully complete all of the actions to align pumps to their appropriate power supply and suction source following loss of the upper surge tank (UST) and BWST from a tornado. This human error probability was calculated using the SPAR HRA methodology (Ref. 11). There is no diagnosis activity associated with this action since it will be an automatic action following a tornado. The calculation table is presented in Table C.3. The basis for selecting revised PSF levels and the associated multipliers for tornado sequences are as follows:

Available time: Time will be critical during this event because of the loss of multiple systems as a result of the tornado. The licensee's procedure AP 0/A/1700/025, Standby Shutdown Facility Emergency Operating Procedure, is used to establish the SSF. The licensee periodically practices this procedure. The procedure requires the operators to establish the SSF to meet its RCP cooling function within 10 minutes for Oconee Unit 1 and 20 minutes for Oconee Units 2 and 3. Based on discussions with the licensee, during training drills the time needed to implement this procedure is between 8 and 9 minutes. Thus "time available ≈ time required" was chosen for the operator action. A multiplier of 10 was used for the action task.

Stress on the operators: Because this would be an infrequent and emergency situation (tornado) with multiple equipment failures (i.e., BWST, UST, emergency switchgear), an extreme stress level and PSF were selected for the operator action. The personnel carrying out the action will have a defined task before them and will be under less stress, but a value of high was still assigned. A multiplier of 5 was used for the action task.

Complexity: This operation will involve activating the SSF. The SSF is used under extreme emergency conditions and is a separate and independent means to achieve and maintain hot shutdown conditions. The complexity of this activity is higher than other emergency activities because it involves aligning equipment in unusual configurations. A PSF of highly complex was selected for this area. A multiplier of 5 was used for the action task.

Procedures: A specific procedure for transfer of the HPI system suction to the spent fuel pool exists. Therefore, a nominal PSF was selected.

Training: Operators have received training on the procedure. Therefore, a nominal PSF was selected.
Table C.3 Initiate the standby shutdown facility following a tornado (SSF-XHE-XA-SSF)
Physical operator action failure probability

Performance Shaping Factors | PSF Levels | Multiplier | Basis | Value Used |
---|---|---|---|---|
1. Available Time | Inadequate | [P(failure = 1.0)] | a | 10 |
 | Time available ≈ time required | 10 | b | |
 | Nominal | 1 | | |
 | Available > 50x time required | 0.01 | | |
2. Stress | Extreme | 5 | b | 5 |
 | High | 2 | | |
 | Nominal | 1 | | |
3. Complexity | Highly | 5 | b | 5 |
 | Moderately | 2 | | |
 | Nominal | 1 | | |
4. Experience/Training | Low | 3 | | 1 |
 | Nominal | 1 | | |
 | High | 0.5 | | |
5. Procedures | Not available | 50 | | 1 |
 | Available, but poor | 5 | | |
 | Nominal | 1 | | |
6. Ergonomics | Missing/misleading | 50 | | 1 |
 | Poor | 10 | | |
 | Nominal | 1 | | |
 | Good | 0.5 | | |
7. Fitness for Duty | Unfit | [P(failure = 1.0)] | a | 1 |
 | Degraded fitness | 5 | | |
 | Nominal | 1 | | |
8. Work Processes | Poor | 2 | | 1 |
 | Nominal | 1 | | |
 | Good | 0.8 | | |
Total = (1)x(2)x(3)x(4)x(5)x(6)x(7)x(8) | | | | 250 |
Nominal Failure Probability | | | | 1.00E-03 |
Adjusted Probability = Total x Nominal | | | | 2.50E-01 |
Total Action | | | | 2.5E-01 |

NOTES
a. Task failure probability is 1.0 regardless of other PSFs.
b. See basis for change described on the previous page.
Attachment D - Fault Tree Logic Models
Attachment E - Resolution of Comments

A letter from Duke Energy Corporation (Duke) to NRC dated July 23, 2002 (Ref. 12), describes Duke's review of and comment on the Preliminary Precursor Analysis of the condition reported in Inspection Report Nos. 269/270/287/00-04 and 01-08. The NRC has reviewed these comments and has the following response:

Licensee's comment: In the Licensee's letter responding to the Preliminary ASP analysis, they made the following observation: "Another issue that Duke encountered during its tornado analysis update was a problem with cut set solution error. Initially, it was observed that the total cut set frequency was not consistent with the overall tornado strike frequency and the overall failure probability of the Standby Shutdown Facility. It was further found that employing a Boolean Solution of the tornado fault tree model produced a CDF that is approximately 1/3 less than the cut set solution. This difference is due to limitations of the min cut upper bound methodology associated with the combination of basic events with high probabilities and a high level of dependency between cut sets. This issue should be investigated for the accident sequence precursor model to determine whether any error was introduced by the cut set solution technique and whether it had any significant impact on the incremental conditional core damage probability results."
Response: The NRC investigated the difference in the results that would be obtained by using the different calculation techniques. The Min/Max Quantification approach available in SAPHIRE uses the exact probability quantification algorithm. This method more accurately models events when the cut set probabilities are high or complemented events appear in the cut sets.
To obtain the results presented here, five passes and a probability cut off of 1 x 10^-15 were used. While the CCDP did decrease, so did the CDP, and the delta CCDP remained in the same range as when the Min-Cut Upper Bound approximation was used. From this comparison, the impact of using the Min/Max Quantification approach on the incremental conditional core damage probability results is insignificant.
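The comment and response above turn on how a cut set list is quantified when basic events have high probabilities and are shared between cut sets. The following added example (not part of the NRC analysis, the licensee's model, or the SAPHIRE code) compares the rare-event sum, the min cut upper bound, and an exact result, using basic-event probabilities quoted in Attachment B. The four cut sets are constructed for illustration and are not the Attachment D logic, and treating a "pass" as one inclusion-exclusion term is an assumption.

```python
from itertools import combinations, product
from math import prod

# Basic-event failure probabilities quoted in Attachment B of this analysis.
P = {
    "ACP-TO-LP": 0.38,
    "EFW-TNK-FC-UST-T": 0.5,
    "SSF-XHE-XA-SSF-T": 0.25,
    "BKEOWEE": 0.31,
    "BTO-WIND-DEX": 0.17,
    "BEF-PIPE-DEX": 0.3,
}

# Constructed cut sets, for illustration only. They are NOT the Attachment D
# fault tree logic; they simply share basic events the way real cut sets do.
CUT_SETS = [
    frozenset({"ACP-TO-LP", "EFW-TNK-FC-UST-T", "SSF-XHE-XA-SSF-T"}),
    frozenset({"ACP-TO-LP", "EFW-TNK-FC-UST-T", "BKEOWEE"}),
    frozenset({"BTO-WIND-DEX", "BEF-PIPE-DEX"}),
    frozenset({"ACP-TO-LP", "BTO-WIND-DEX", "SSF-XHE-XA-SSF-T"}),
]


def joint(events, p=P):
    """P(all basic events in `events` occur), assuming independent events."""
    return prod(p[e] for e in events)


def rare_event_sum(cut_sets, p=P):
    """First-order approximation: sum of the cut set probabilities."""
    return sum(joint(c, p) for c in cut_sets)


def min_cut_upper_bound(cut_sets, p=P):
    """1 - prod(1 - P(C_i)): treats the cut sets as if they were independent."""
    return 1.0 - prod(1.0 - joint(c, p) for c in cut_sets)


def min_max(cut_sets, passes, p=P):
    """Inclusion-exclusion truncated after `passes` terms.

    Odd pass counts give an upper bound, even counts a lower bound, and
    len(cut_sets) passes give the exact probability of the union.
    """
    total = 0.0
    for k in range(1, min(passes, len(cut_sets)) + 1):
        term = sum(joint(frozenset().union(*combo), p)
                   for combo in combinations(cut_sets, k))
        total += term if k % 2 else -term
    return total


def exact_by_enumeration(cut_sets, p=P):
    """Cross-check: add up every basic-event state in which at least one
    cut set has all of its events failed."""
    names = sorted(p)
    total = 0.0
    for state in product((False, True), repeat=len(names)):
        failed = {n for n, s in zip(names, state) if s}
        if any(c <= failed for c in cut_sets):
            total += prod(p[n] if s else 1.0 - p[n]
                          for n, s in zip(names, state))
    return total


def compare(cut_sets=CUT_SETS, p=P):
    """Return every quantification of the same cut set list side by side."""
    return {
        "rare_event_sum": rare_event_sum(cut_sets, p),
        "mcub": min_cut_upper_bound(cut_sets, p),
        "min_max_2_passes": min_max(cut_sets, 2, p),
        "min_max_3_passes": min_max(cut_sets, 3, p),
        "min_max_all_passes": min_max(cut_sets, len(cut_sets), p),
        "exact": exact_by_enumeration(cut_sets, p),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:20s} {value:.6f}")
```

On these constructed inputs the min cut upper bound overstates the exact result by roughly 14 percent, and the truncated inclusion-exclusion sums bracket the exact value from below (two passes) and above (three passes).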